ninjamiefandomcom-20200214-history
GlobalProtect
'''3 Essential Components of GP:'''
*'''GlobalProtect PORTAL''' = maintains the list of all Gateways, the certificates used for authentication, and the list of categories for checking the end host.
*'''GlobalProtect GATEWAY''' = provides security enforcement for traffic from the GP Agent; 1 or more interfaces on 1 or more PAN firewalls. Can be internal (in the LAN) or external (deployed/reached via the internet).
*'''GlobalProtect AGENT''' = agent software on the laptop that is configured to connect to the GP deployment.

'''License Requirements:'''
*'''GlobalProtect Portal License''' = 1-time license
**Required for: HIP check (host information profile), multiple external gateways, and internal gateways
*'''Gateway Subscription''' = 1- or 3-year subscription
**Required for: iOS and Android app and HIP check (host information profile). No license is needed for 1 external gateway or 1 portal.

'''Required Certificates'''
*Certificate Authority (CA) certificate
*GlobalProtect Portal certificate
*GlobalProtect Gateway certificate
*(OPTIONAL) GlobalProtect Client certificate

'''Checklist'''
#GlobalProtect client downloaded and activated on the PAN firewall
#Portal configuration
#Gateway configuration
#Routing between the trust zones and the GlobalProtect clients (in some cases between the GlobalProtect clients and the untrust zones)
#Security and NAT policies permitting traffic between the GP client and trust
##OPTIONAL: NAT policy for GP clients to go out to the internet (if split tunneling is NOT enabled)
#For iOS devices to connect, XAUTH configuration
'''GlobalProtect GATEWAY'''
*Provides security enforcement for traffic from GlobalProtect clients
*Requires a tunnel interface for external clients
*Tunnel interfaces are optional for internal gateways

'''GlobalProtect PORTAL'''
*Authenticates users initiating connections to GlobalProtect
*Stores client configurations
*Maintains lists of internal and external gateways
*Manages CA certificates for client validation of gateways

'''GlobalProtect AGENT'''
*Authenticates the connection against the portal
*Establishes connections with gateways
*Sends HIP reports
*Allows users varying levels of control over the connections

'''Configuring GlobalProtect'''
#Create the server certificate
#Configure user authentication
#Create a tunnel interface
#*Routing between the trust zone and the GlobalProtect client. In some cases, between the GP clients and the untrust zones.
#Configure the gateway
#Configure the portal
#Security and NAT policies permitting traffic between the GP client and trust.
#*Optional: NAT policies for GP clients to go out to the Internet (if split tunnel is not enabled).
#Download and activate the GP Agent
#Commit

References:
*https://live.paloaltonetworks.com/docs/DOC-2904
*https://live.paloaltonetworks.com/docs/DOC-2020

'''1. GlobalProtect Required Certificates:'''
Device -> Certificate Management -> Certificates
*'''Certificate Authority (CA) certificate'''
**To generate a CA cert, check the "Certificate Authority" option. This cert will be used to sign the certs used by the GP gateway and the agents.
*'''GlobalProtect Gateway Certificate'''
**Used by the GP Gateway to authenticate the agents. Use the CA cert to sign this cert.
**This is done by selecting the CA cert in the "Signed By" drop-down menu.
*'''GlobalProtect Portal Certificate'''
*'''GlobalProtect Client certificate'''
**The GP Portal no longer requires a client certificate; if configured to do so, the GP GATEWAY will require a valid client certificate to establish a session.
**Also needs to be signed by the CA cert.
Device -> Certificate Management -> Certificate Profile

How to install a chained certificate signed by a public CA: https://live.paloaltonetworks.com/docs/DOC-4289
How to generate a CSR: https://live.paloaltonetworks.com/docs/DOC-4232

'''2. Configuring User Active Directory authentication profile:'''
Device -> Server Profile -> LDAP
#Configure the LDAP server profile
##Add the AD server and IP address. Use the NT domain as Domain Name.
#Create the Authentication Profile (Device -> Authentication Profile)
##Choose the LDAP server profile created; use sAMAccountName as Login Attribute and LDAP as Authentication.

'''3. Configure Tunnel Interface and attach a Security Zone to it:'''
Network -> Interfaces -> Tunnel tab

'''Configure the Gateway:'''
Network -> GlobalProtect -> Gateways
*Choose the Server Certificate created (EX: GP-RootCA)
*Choose the Authentication Profile (user Active Directory auth profile)
*Choose the Client Cert profile
*Choose the Tunnel Interface
*Choose the External Interface and IP address of the firewall.

'''Access Routes (split tunnel):'''
*By default all traffic from the client will be sent to the gateway.
*Access routes/split tunnels allow you to define the networks that will be accessible by the client through the tunnel. To force all traffic to go through the firewall (even traffic intended for the internet), the network that needs to be configured is "0.0.0.0/0", which means all traffic.
*If 0.0.0.0/0 is configured, the security rules can be used to control which internal LAN resources the GP clients can access.
*If a security policy does not permit traffic from the GP clients' zone to the untrust zone, then the GP clients connected to the PAN firewall via SSL VPN will have access to local resources only and will not be allowed to go to the internet.
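The access-route behaviour described above, as an added POSIX sh example that is not part of the original page and is not the GlobalProtect agent's own code: a small model of how a client decides, per destination, whether a packet goes into the tunnel or straight out of the local interface. The prefixes and addresses are constructed samples; with no access routes configured everything is tunnelled (the page's default), a single 0.0.0.0/0 route also captures everything, and a list of private prefixes leaves internet destinations direct, which is exactly the case where the NAT policy from the checklist is not needed.

```shell
# Added example (not from the wiki page): model of GlobalProtect access-route
# evaluation. Addresses and prefixes below are constructed samples.
set -e

# IPv4 dotted quad -> 32-bit integer (runs in a subshell so IFS is untouched).
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeeds when address $1 lies inside CIDR prefix $2 (e.g. 10.0.0.0/8).
in_prefix() {
  net=${2%/*}
  plen=${2#*/}
  mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))   # /0 -> 0, /32 -> all ones
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Prints "tunnel" or "direct" for destination $1 given the space-separated
# access routes in $2. No access routes at all means full tunnel (page default).
route_decision() {
  dest=$1
  routes=$2
  if [ -z "$routes" ]; then
    echo tunnel
    return
  fi
  for r in $routes; do
    if in_prefix "$dest" "$r"; then
      echo tunnel
      return
    fi
  done
  echo direct
}

# Demo: a split-tunnel route set versus the catch-all 0.0.0.0/0.
SPLIT_ROUTES="10.0.0.0/8 192.168.5.0/24"
FULL_ROUTES="0.0.0.0/0"
for d in 10.20.30.40 192.168.5.1 192.168.6.1 203.0.113.7; do
  echo "$d: split=$(route_decision "$d" "$SPLIT_ROUTES") full=$(route_decision "$d" "$FULL_ROUTES")"
done
```

Read the output as a policy check: any destination that comes back "direct" under the split configuration never reaches the firewall, so no security rule on the box can see or block it; that is the trade-off the 0.0.0.0/0 route removes at the cost of the extra NAT policy.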
'''Configuring Portal:'''
Network -> GlobalProtect -> Portals
*Choose the Active Directory Auth profile
*Choose the client cert
*Choose the server certificate (EX: GP RootCA)
*Choose the Client Certificate Profile
*Choose an External Interface and IP address of the firewall for the Portal Address.

GP Portal -> Client Configuration tab -> Add
*This selection defines the parameters that determine the GP agent behavior.
*If specifying a Group name under Client Config -> Add -> User/User Group tab, make sure to copy the Group Name from the CLI (show user group list) (EX: cn=iteam,ou=groups,dc=casselsbrock,dc=lan) and hit the TAB key after pasting the name. This makes sure there is no line break or extra spaces added.

SSO = Single Sign-On
*Means the user credentials will be pulled automatically from the Windows logon information and used to authenticate the GP client user when they first log into their Windows PC.
On Demand
*Requires that the user manually connect when access to the VPN is necessary.
ONLY ONE OPTION SHOULD BE SELECTED, NOT BOTH.
----
General tab
*Give the client config a name (EX: "config-gp")
Source User tab
*any
Gateways tab
*Add the IP address of the external interface as the External Gateway (on the right)
*(EX: 192.168.5.1 / priority 1)
Agent tab
*Contains important info regarding what users can or cannot do with the GP Agent.
*Enabling Agent User Override "with-comment" allows users to disable the agent after entering a reason/comment. The comment will appear in the system logs of the firewall when this user logs on next.
**Disabling "Agent User Override" will prevent users from disabling the GP Agent.
Data collection
*Leave default
Add the GP root CA and/or Microsoft cert under "Trusted Root CA"

'''Configuring GlobalProtect Satellite'''
GlobalProtect Satellite facilitates an easy deployment for site-to-site tunnels. You must configure the portal, the gateway, and the satellite. This configuration uses the same interface for both portal and gateway.

'''1. Certificates used in the config:'''
Device -> Certificate Management -> Certificate
#'''Generate a root CA''' named "GP_Root" and a server certificate "GQ_portal_Sat" (for portal and gateway) which is signed by this root CA.
#'''Export the root CA''' (GP_Root) used for the portal and gateway in PEM format, without the private key, and '''import it to the satellite device'''.
##Device -> Certificate Management -> Certificates -> Import
###(You will get a cert error when authenticating between the portal and the satellite IF you forget this step.)
#Ensure that the Server Certificate's CN (Common Name) is configured on the satellite firewall as the IPSec peer.
##Or you will get the cert error "cert common name does not match the config hostname on the satellite".

'''2. GlobalProtect Portal Configuration:'''
Network -> GlobalProtect -> Portals
#'''Add the interface''' that will act as a portal and the authentication profile.
#Configure the satellite configuration by adding the gateways and priorities.
#*By adding the serial number of the satellite, the portal will bypass the authentication profile configured above and will use the serial number to validate the satellite.
#Configure the portal as an OCSP Responder to verify that the certs are signed by GP_Root (Device -> Certificate Management -> OCSP Responder).

'''3. GlobalProtect Gateway Configuration:'''
Network -> GlobalProtect -> Gateways
#Use the same interface and IP address used in the GP portal configuration. Add the Authentication Profile and the certificate profile which will be used to authenticate the satellite to the gateway.
#*Must have a cert profile or the commit will fail.
#The gateway can accept all/selected routes advertised by the satellite by checking the "Accept published routes" check box under Satellite Configuration -> Route Filter.

'''4. Satellite Configuration'''
Network -> IPSec Tunnel
#Create a new IPSec Tunnel and select the type as ''GlobalProtect Satellite''.
#Add the tunnel interface, the portal configuration and the interface that can reach the portal address.
#*Under the Advanced tab: have the satellite advertise routes to the gateway by checking "Publish all static and connected routes to Gateway" (advertises all static and connected routes) or by adding only the selected subnets.
#Commit.

'''Test the connection''' (Network -> IPSec Tunnel)
Click on the name of the tunnel and enter the credentials to authenticate to the portal.
*Tunnel status should turn green once the satellite connects to the portal and the gateway.

'''Troubleshooting'''
GlobalProtect login fails when using a Group in the Allow List: "Reason: User is not in allowlist"
*https://live.paloaltonetworks.com/docs/DOC-4706

'''COMMANDS:'''
To see group names:
*''show user group list''
*EX of group name: cn=iteam,ou=groups,dc=casselsbrock,dc=lan
To see the group members listed under a specific group:
*''show user group name "<group name>"''
*Example: ''show user group name "cn=iteam,ou=groups,dc=casselsbrock,dc=lan"''
To see IP-to-user mappings:
*''show user ip-user mapping details yes''
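The certificate set from "1. GlobalProtect Required Certificates" and the two satellite failure cases from "Certificates used in the config" (root CA not imported on the peer, and CN not matching the configured IPSec peer), as an added openssl example that is not from the wiki page and not Palo Alto Networks' own tooling. The firewall generates these objects in its own GUI; this script reproduces the same PKI shape on a workstation so the checks can be seen outside the box. The names GP_Root, Other_Root, GP_Portal_Sat and the hostname gp.example.lan are hypothetical placeholders, and the openssl config is written inline so the extension set does not depend on the system openssl.cnf.

```shell
# Added example (not from the wiki page): GlobalProtect-style PKI with openssl,
# plus the two verification checks the page's satellite section warns about.
# All names and hostnames are hypothetical.
set -e

WORK=${WORK:-$(mktemp -d)}

# Minimal request config: a CA profile used for the self-signed root.
cat >"$WORK/gp.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root CA: the "Certificate Authority" box on Device -> Certificates.
make_root_ca() {   # $1 = CA name
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/gp.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Portal/gateway server certificate signed by a CA (the "Signed By" menu).
make_server_cert() {   # $1 = cert name, $2 = hostname (CN and SAN), $3 = signing CA
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/gp.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  cat >"$WORK/$1.ext" <<EOF
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$2
EOF
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -extensions v3_server \
    -out "$WORK/$1.pem" 2>/dev/null
}

# "valid" if cert $2 chains to root $1, else "invalid". This is the check the
# satellite performs; it fails when GP_Root was never imported on that device.
verify_against() {   # $1 = root CA name, $2 = cert name
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# Common Name of a certificate, as the satellite compares it to its peer setting.
cert_cn() {   # $1 = cert name
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.pem" \
    | sed -e 's/^subject= *//' -e 's/^CN=//'
}

# "ok" when the configured IPSec peer name equals the server cert CN, otherwise
# "mismatch" (the page's "cert common name does not match" error).
cn_matches_peer() {   # $1 = cert name, $2 = configured peer name
  if [ "$(cert_cn "$1")" = "$2" ]; then echo ok; else echo mismatch; fi
}

# Build the page's objects plus an unrelated CA to show the negative case.
make_gp_pki() {
  make_root_ca GP_Root
  make_root_ca Other_Root
  make_server_cert GP_Portal_Sat gp.example.lan GP_Root
}

make_gp_pki
echo "GP_Root    -> GP_Portal_Sat: $(verify_against GP_Root GP_Portal_Sat)"
echo "Other_Root -> GP_Portal_Sat: $(verify_against Other_Root GP_Portal_Sat)"
echo "peer gp.example.lan        : $(cn_matches_peer GP_Portal_Sat gp.example.lan)"
echo "peer 203.0.113.10          : $(cn_matches_peer GP_Portal_Sat 203.0.113.10)"
```

Run it with `sh` on a host that has the openssl command line; the two RSA key generations take a few seconds. Only `GP_Root.pem` (never `GP_Root.key`) is what gets exported in PEM form and imported on the satellite, which matches the page's instruction to export the root without the private key.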